Researchers have known for a long time that many users don’t pay much attention to updating third-party software, browser plugins and extensions, and that lack of care has benefited attackers for years. Attacks on Flash, Java, QuickTime and various other ubiquitous apps have been a major concern for Windows users for the better part of a decade, and now that same situation is presenting itself to Mac users.
The Flashback malware that has been exploiting a vulnerability in Java has brought the reality of attacks on third-party applications to the fore for OS X customers. Java is everywhere on the Web, and many non-technical users aren’t necessarily aware of the need to update it frequently or of the exalted place it holds in the hearts of attackers. That same ubiquity that makes Java a useful tool for developers and site owners makes it a highly attractive target for the bad guys.
Failing to update plugins and other software can make life much easier for the attackers, and it seems that there’s a pretty large population of users out there who are doing just that. Statistics compiled by the researchers at Kaspersky Lab show that half of the users who have visited the company’s Flashbackcheck.com site to see whether their machines are infected by the malware are running old versions of Java.
“50% of all visitors of our Online #FlashbackChecker http://flashbackcheck.com are running a vulnerable version of Java,” Aleks Gostev, chief security expert at Kaspersky, said on Twitter Wednesday.
Oracle updates Java on a regular basis and Windows users can enable an option to automatically download new versions from Oracle. However, Apple doesn’t allow Oracle to ship updates for Java to Mac users directly. Instead, Apple updates Java on Mac itself. So, if users don’t take the updated Java software from Apple, they will still be running older, vulnerable versions.
The most recent variant of Flashback exploits a vulnerability in Java to infect users through a drive-by download. That version emerged in late February, but it wasn’t until last week that Apple issued a fix for Java to close the hole that Flashback was exploiting.